If you enable iChat encryption, .Mac will generate a Certificate and key with your .Mac name and store it in your keychain. This is used to encrypt iChat text and video, and it works well.

But did you know ... you can also use your .Mac certificate to sign and encrypt email? To do this, open Keychain Access (in Applications/Utilities), and check that your .Mac certificate is there. Then open the Preferences panel in Keychain Access and check the Search .Mac for Certificates box.

You can then start Apple's Mail app, and choose your .Mac email account as the sending account in a new message. When you do, you will see icons (as seen to the right) above the message window to toggle on/off encrypting (the lock icon) and digital signing (the checkmark) of email. Remember, though, to encrypt email to another person, you must have their certificate in your keychain.

[robg adds: I tested this with another .Mac user, and it worked as described.]

This is correct.
If you have your own x509 or other type of certificate, you can send a signed message to a friend.
He also sends you a signed message from his email account.
OSX Mail keeps track of the S/MIME certificates sent to you by others, and the next time you compose a message to your friend, you now have the option of not just signing your email, but also encrypting it.

This way, nobody in transit can read the text of your email.

Digital signing is useful in and of itself. It allows you to send email 'with authority'. That is, the receiver knows it comes from you, without having to have already exchanged keys with you (as with PGP).

The added bonus of encrypted communications can be used to protect personal, or business data transmitted via email.

Ok, so I know who verisign is and I would trust them I guess but what would make them more "trusted" than Apple Computer or Microsoft or any other major company? Maybe I don't get the whole certificate thing but basically we are trusting that Apple is a real company who issues unique digital signatures to people and that if I ask them to verify whose key was used to secure an email that they will not lie.

It's worth noting, I sent a message to Thawte on 3 separate occasions. They never responded:

Hello,

I signed up for a digital certificate a few weeks ago with you. I received and set everything up on my end, and subsequently tested a scenario to ensure the security of my email communication, as follows:

1. I sent an email from my digital-certificate signed email account (...@mac.com) to an alternate non-signed email account (...@yahoo.com), with the message body "asdf."
2. In my yahoo account, I redirected this email to a 3rd alternate non-signed email account (...@gmail.com), adding this text to the message body: jkl;
3. In my gmail account I received the redirected email with the altered message body, yet still showing signed by ...@mac.com

It appears to me that this digital signature is not accurate, because the message was altered by the recipient and then re-directed to another email. See test email chain below. I've emailed you several times regarding this issue and have not received a response.
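The forwarding test described in that message, reproduced with OpenSSL's S/MIME tooling as an added example that is not part of the thread: it signs a body, alters the body the way the forwarding step did, and shows what a verifier that actually re-checks the signature reports. The key, the self-signed alice@example.com certificate and the body text are constructed for the demonstration; it assumes a POSIX shell and the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original hint or Apple's code): reproduce the
# thread's "alter the body after signing" test with openssl's S/MIME tooling.
# The key, the self-signed "alice@example.com" certificate and the message
# body are all constructed here.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed signing cert. The address is carried in subjectAltName, the
# field the thread says the early .Mac certs lacked; the CN deliberately has
# no "@domain" part, mirroring what commenters saw in the iChat-created cert.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout key.pem -out cert.pem -subj "/CN=alice" \
  -addext "subjectAltName=email:alice@example.com" >/dev/null 2>&1

# Print the email address bound to a certificate (subject or SAN).
cert_email() { openssl x509 -noout -email -in "$1" | head -n 1; }

# Produce a clear-signed (multipart/signed) message from a body file.
sign_body() { openssl smime -sign -text -in "$1" -out "$2" \
                -signer cert.pem -inkey key.pem; }

# Verify the signature and the chain to cert.pem; prints "ok" or "tampered".
verify_msg() {
  if openssl smime -verify -in "$1" -CAfile cert.pem -out /dev/null >/dev/null 2>&1
  then echo ok; else echo tampered; fi
}

# Emulate the forwarding step from the thread: append "jkl;" to the body line
# while leaving the signature part of the message untouched.
tamper_msg() { sed 's/^asdf/asdf jkl;/' "$1" > "$2"; }

printf 'asdf\n' > body.txt
sign_body body.txt signed.eml
tamper_msg signed.eml altered.eml

echo "signer address: $(cert_email cert.pem)"   # alice@example.com
echo "original: $(verify_msg signed.eml)"       # ok
echo "altered:  $(verify_msg altered.eml)"      # tampered
```

A mail client that merely displays "signed by" without re-running this verification step gives the reader no integrity guarantee; the check above is what distinguishes the two.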

I do not have a problem with thawte, and I have been a Web of Trust notary with them for a couple years now.

The point of giving over unique, personally identifiable information to a Certificate Authority is that you can get your certificates trusted by a top-level third party. Having gone through the authentication process with thawte, I feel very confident with any email certificate issued by thawte with a person's name on it.

I have also gone through the WOT assurance process with CACert.org, a group that gives out free email and SSL certificates.

Yes, you are giving out valuable information to a third party. But you do this all the time to Banks, doctors' offices, and your employer. I fear an underpaid clerk at the HR department at work selling my identity more than I do a company like thawte, which is in the business of keeping secrets, after all.

I can not get this to work. I have the .Mac certificate and also have enabled the Preference settings as described but the security options do not appear in the Mail composition window. Any suggestions?

The signature feature with pre 12/5/05 certs seemed a little flaky. One could make changes in-transit and the mail was still "signed". Encryption seemed to work properly (I did not test extensively). NOTE - the certs did not include the required email address. This may have caused the issues.

The post 12/5/05 certificates have the email feature specifically turned off. I'm curious to see if apple corrects the problems and turns it back on. Anyone with a 12/6/05 or later cert have working email?

I can't get it to work either. iChat encryption is on. I have a new "Apple .Mac Certificate Authority" certificate in the Keychain Access.

I have a certificate with my email name of type certificate. Note that it does not include the "@mac.com" portion in Key Chain manager name field - that is how iChat added it when I clicked the button. Likewise the "Common Name" in the certificate does not include the "@mac.com" portion. Don't know if it should or not, but it was created that way by iChat.

I did download the thawte version and the options show up perfectly, so it must be something strange with the iChat version.

Having been a Mac user since 1984 and a ][ user before that, it is little things like that where Apple needs to have everything "just work." That is one of the best features of the Mac, everything should "just work."

This wasn't working for me because the "Search .Mac for Certificates" preferences wasn't sticking. I did a Keychain First Aid and found that my ~/Library/Preferences/com.apple.security.plist file had an owner of root instead of my user name. Since Keychain First Aid couldn't fix it and chown refused, I ended up copying the file to a new one, deleting the old one, and copying the copy back. Now things work fine. (FWIW, I also tried repair permissions from the Disk Utility and that did not fix the problem.)

I think the problem is that the Mac OS X short account name is not the same as the iChat name (before the @). I recently switched accounts and named it to my first name instead of the second, and now it doesn't work anymore. Can someone confirm this connection?